Meta

Tag: free

Cloudflare has launched new free public DNS resolvers 1.1.1.1 and 1.0.0.1 on April Fools day 2018 (This is not a joke, its a real service). This service competes directly with Google's and OpenDNS's public resolvers.

Cloudflare claims to build the new resolvers with Security and Speed as basic features. Here are the results for latency test for both 1.1.1.1 and 8.8.8.8 from all over the world for comparison (Click on the image to zoom).

Cloudflare

Google

Of course this is just a simple latency test and actual performance may vary depending on different other factors.

Memorable IP Address

Until now Google 8.8.8.8 used to be the most memorable publicly used ip address followed by Level 3's 4.2.2.2. Cloudflare's 1.1.1.1 is not more memorable than Google's 8.8.8.8 but I have to admit its way cooler. This is important because you can use domain names so you dont have to remember ip addresses of websites but you cannot do it with DNS servers and you need to know the ip address.

DNS-over-TLS and DNS-over-HTTPS Support

DNS protocol was not designed with security in mind because at the time it was designed it did not need it. Its not true for today's internet. For that reason CloudFlare's DNS servers support both DNS-over-TLS and DNS-over-HTTPS from day 1.

Fastest DNS Server

Cloudflare has also posted in their blog that DNSPerf has ranked 1.1.1.1 as the fastest DNS server with an average of 14ms of query speed. Of course you will get different results based on your location and whether or not you are a Cloudflare customer.

DNS Query Name Minimisation to Improve Privacy

Cloudflare also supports DNS Query Name Minimisation to Improve Privacy as defined in RFC7816 which means that Cloudflare's DNS resolvers do not send full query to the upstream name servers which reduces the information leaked to upstream DNS servers, like the root and TLDs.

IPv6 Support

Along with 1.1.1.1 and 1.0.0.0.1 Cloudflare has also provided memorable ip addresses for their IPv6 DNS servers 2606:4700:4700::1111 and 2606:4700:4007::1001.

Let's Encrypt has recently started supporting wildcard certificates using its new ACME2 protocol. This means that you can have a single wildcard certificate like *.asknetsec.com and use it on all the other sub-domains like blog.askenetsec.com, email.asknetsec.com.

This makes is very easy to manage certificates for different sub-domains. Until now each sub-domain needed its own certificate generated for the specific sub-domain.

Install Certbot

Certbot is not available in the default ubuntu repository. Run the below command to add ppa repository.

sudo add-apt-repository ppa:certbot/certbot

This will add the repository from where certbot can be installed

sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or ctrl-c to cancel adding it

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for asknetsec.com

-------------------------------------------------------------------------------Please deploy a DNS TXT record under the name_acme-challenge.asknetsec.com with the following value:

Create a text DNS record for the sub-domain _acme-challenge.yourdomainname.com with the value generated by certbot when the above command is run. In my case the value was AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs.

You will have to wait for some time for the new DNS record to propagate over the internet. I waited for 10 minutes and pressed enter.

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/asknetsec.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/asknetsec.com-0001/privkey.pem
Your cert will expire on 2018-06-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by: